Course description

CS 5430 discusses security for computers and networked information systems.
It focuses on principles and techniques for implementing military as well
as commercial-grade secure systems. The practicum, CS 5431, sits at the intersection of computer
security and software engineering. It is designed to give students
practical experience with building a software system and securing it.

This course is not about the pragmatics of attacking computer systems. If
you're looking for black hat training, look elsewhere.

Staff

The schedule of consulting hours and instructor office hours will be posted on Piazza.
There are no consulting or office hours during official breaks.
Consulting and office hours end on the last day of classes.

Communication

We use Piazza for announcements and Q&A in both CS 5430 and CS 5431.
There is a single Piazza forum (under the CS 5430 course number) for
both CS 5430 and CS 5431.
You can sign up at http://www.piazza.com/cornell/spring2016/cs5430.
You are responsible for familiarizing yourself with all announcements
made on Piazza.
The course staff continuously monitor the forum and will respond to questions
in a timely manner.
This is the most efficient method of getting help and has the
added advantage that others can benefit from your question.
If you know the answer to a question, feel free to post a reply yourself.
Avoid giving away any hints on the homework or posting any part of a solution;
this will be considered a violation of Academic Integrity.

We use CMS for submission of assignments and for grading.
There are separate courses in CMS for CS 5430 and CS 5431.
Make sure you can login to http://cms.csuglab.cornell.edu/
and see CS 5430 (and CS 5431, if you are in the practicum). If you cannot access the course, please verify with the Registrar that you are
enrolled in the course. We will not add students to CMS until they are enrolled with the Registrar.

Refrain from emailing the course staff directly.
Instead, post either a public or a private question to Piazza.
This is the most effective way for the course staff to manage
communication in a large course.
Please refrain from making posts that are private only to the professor, and
note that neither email nor Piazza is an appropriate channel for discussion
of grades—such discussions should occur in person.

Prerequisites

For CS 5430, you need to have a broad understanding of organization and
programming of computer systems. Students who have taken a senior-level
systems course, such as Cornell's CS 4410 and its transitive prerequisites,
should be well positioned to take CS 5430. Knowledge of operating systems,
computer networks, and cryptography will be helpful.
Assignments might require the use of standard tools and languages such as C,
Unix, web servers, etc. You
either need to be familiar with these technologies or to be committed to
investing extra time to learn them as you go. (Part of becoming a
professional computer scientist is learning to adapt quickly to new
technologies.)

For CS 5431, the foremost prerequisite is that you need to be a programmer.
Students who are not already accomplished in a modern high
level language will not be equipped to succeed in the practicum.
In previous semesters, projects averaged about 5,000 lines of code, with
individual students typically contributing around 2,000–2,500 lines of code.

Course materials

The following optional textbooks have a large
intersection with what we will cover in CS 5430:

Exams

There will be no preliminary exams. There will be a final exam as scheduled
by the Registrar.

Assignments

Assignments in this course are deliberately
underspecified, open-ended, and motivated by
problems that arise in the real world—messy
as it is—as is consistent with the
upper-level, professional, and practical
orientation of this course. You will have to
think on your own, build tools, refine
problem specifications, make reasonable and
defensible assumptions, and be creative.
Success in this course, as in life, depends
heavily on you figuring out what's important
and concentrating on that.

There will be approximately seven homework assignments, which may
include written problems, programming problems, and optional karma problems.
Unless otherwise specified, assignments may be turned in after the deadline with the following
penalty applied to the score received:

1 day late (i.e., immediately after the deadline up to 24 hours later): −10%

2 days late: −25%

3 days late: −50%

>3 days late: −100% (we won't grade it)

Extensions will be granted only in exceptional circumstances, such as
documented illness, and are handled exclusively by the instructor.
Extensions will not be granted for job interviews or large workloads
in other courses.

Here are a few words of caution about CMS and late submissions:

The deadline for an assignment is not the time by which you
must finish writing a solution; rather, it is the time by which
you must successfully upload your solution files to CMS and confirm that
CMS has recorded the correct versions of those files. CMS might lag near
the deadline as many students attempt to upload their submissions
at the last minute, perhaps even causing your submission to
be marked as late. That is your problem. Requests to have a penalty
removed because CMS lagged near the deadline will be denied. We recommend
that you upload your files at least one hour before the deadline.

In this course, CMS will be configured with no grace period, so that
you can best predict exactly when deadlines occur.

You must submit your work through CMS; email submissions, whether late or
on time, will be deleted.

CMS enables you to upload as many times as you wish before submissions are closed.
Only the most recent version, with the appropriate late penalty, will be graded.
Requests to have the course staff grade earlier versions (with or without a penalty)
will be denied.

It is your responsibility to verify before the deadline that you have
submitted the intended versions of your files. Requests to
substitute another version (e.g., "I accidentally submitted
the wrong files") will be denied.

We sincerely regret having to enforce these policies, but
the administrative overhead associated with late submissions
has become too great. And sorting out
whether students are unfairly trying to work past the deadline (while
unjustly blaming CMS) is not feasible.

Regrades

Regrades are intended to correct serious errors in grading, not to dispute
judgment calls made by graders. Graders do sometimes take off a couple extra
points too many, but they just as often give a couple extra points too many.
In our experience, exceptionally few regrades requests would
actually make a difference in the final course grade.
So rather than all of us obsessing over regrades, we'd prefer that you spend your time
on doing well on the next assignment, and that we spend our time on
developing the next assignment.

Do feel free to meet with the course staff
if you cannot understand the written comments the grader provided on your solution.
But the grade on your solution and/or changes to the grade are "out of bounds"
topics for discussion at that meeting, with one exception: grading mistakes of a purely arithmetic
nature (e.g., the grader wrote that they were deducting 5 points but entered a deduction
of 6 into CMS) can be fixed on the spot, without needing to follow the process below.

If you decide that a serious mistake was made in grading your assignment,
then we would be happy to fix it. Here is the process:

Prepare a written regrade request by filling out this
regrade request form.
Attach hardcopies of your entire original solution and
the entire grading comments. Your request needs to demonstrate
that there was an error in grading, and that you understand
the correct answer.

Submit that request to Professor Clarkson or to his
administrative assistant (Randy Hess).

Be patient. Regrade requests receive lower priority than
any other active grading.

Professor Clarkson will read your written request, consider its merits, and make
a decision about a grade change.
The grade on your assignment might increase, decrease, or remain unchanged as
a result of the additional scrutiny the regrade request engenders.

Note that this process is entirely written.
We will not discuss regrades with you in person; for sake of
consistency in grading (hence fairness), we prefer to handle
all the regrades for a given assignment at one time.

The deadline for submitting a regrade request is one week after
you receive the original grade. Requests submitted after
that will be denied without consideration of their merits.

Resist the temptation to use regrade requests as a means to fish for a better grade.
Here are two words of caution:

Any regrade request that we perceive to be specious
will inspire increased rigor in rechecking your
submission, and that often leads to a grade reduction.
The course staff will go to great lengths to help you understand the course content;
we are considerably less enthusiastic about discussing how what you wrote
could be stretched to mean the right answer.

We track all regrade requests that
are submitted throughout the semester.
When we determine final course grades, we look carefully at students
who are near the cutoffs between letter grades to see whether
any extra consideration is warranted for adjusting their grade
up or down. Abuse of regrade requests will factor heavily into
this extra consideration.

We sincerely regret having to enforce this policy, but regrades
have become an unjustifiable amount of work—both
yours and ours—with little benefit to anyone.

Practicum

Students in the practicum (CS 5431) will gain additional practical knowledge
of security through two activities:

A semester-long team software development project.

Weekly discussions of recent real-world attacks as
described in the Pfleeger & Pfleeger textbook. Each
student will prepare and lead a discussion of one chapter from
that book. All students are expected to attend and participate
in the discussions.

Students enrolled in CS 5431 must also be enrolled in CS 5430.

Academic Integrity

Absolute integrity is expected of every Cornell student in all
academic undertakings. If you are unsure about what is
permissible and what is not, please ask.

You are responsible for understanding these university, departmental, and course policies:

Integrity includes you being honest about the sources of the work you
submit. When you submit work in this course, you are representing it as the
work of the stated authors (i.e., the members of the CMS group who submitted it)
subject to any exceptions that are clearly stated in the submission itself.
To avoid committing plagiarism, simply be sure always to accurately credit
your sources. To do otherwise is to commit fraud by claiming credit for the
ideas and efforts of others, and that is punishable under the Code of Academic Integrity.

Grades, on the other hand,
are about the course staff assessing what you have learned. If you turn in
someone else's work for course credit, and forthrightly acknowledge
you are doing so, you are not acting dishonestly and are not
violating academic integrity. But you also give us
no basis for concluding that you have learned the course content.
We recommend the following rule of thumb:
Never look at any other students' solutions, or have
their solutions in your possession, in any portion or form whatsoever.
Also never share your solutions with other students.

Grades

We expect the breakdown for the overall course grade in CS 5430 to be as follows:

Assignments: 60%

Final exam: 30%

Other factors: 10%

We expect the breakdown for the overall course grade in CS 5431 to be as follows:

Project: 65%

Attendance at 5431 events: 15%

Leading one discussion: 10%

Other factors: 10%

Assignments in CS 5430 are weighted equally, and your lowest assignment score
will be dropped.
Other factors include participation on Piazza,
appearance at office hours, submission of course evaluations,
and any means by
which you have demonstrated mastery of course content.
This portion of the grade typically affects only a
handful of students, raising or lowering their final
course grade by 1/3 letter grade.